Skip to content

v2.141

Choose a tag to compare

View all tags
@github-actions github-actions released this 29 Apr 16:19
· 298 commits to main since this release
v2.141
b8f646f

What's Changed

Fixed

  • Admin lockout prevented on database backend switch (#96). Switching the database backend (SQLite ↔ PostgreSQL) no longer locks the admin out. Boolean and JSON columns are now coerced correctly when migrating rows from SQLite to PostgreSQL, the migration runs per-table in its own transaction so a single bad row no longer aborts the whole switch, and the active admin session survives the cutover.
  • PostgreSQL backups via pg_dump. The Docker image now ships postgresql-client, so PostgreSQL-backed instances can produce native pg_dump backups during backend migrations and scheduled backups.

Changed

  • In-app help covers v2.128–v2.140 features in English plus all 8 translated languages (fr, de, es, it, ja, pt, uk, zh).
  • README features and roadmap refreshed for v2.128 → v2.140.

Internal

  • CI: backend test collection no longer fails on missing SECRET_KEY / JWT_SECRET_KEY — workflow now exports test-mode env vars before pytest runs.
📜 Recent release history (last 2 versions)

[2.140] - 2026-04-27

Fixed

  • Certificate SAN database columns now derived from the final SAN list (#94). When a CN is auto-promoted to an rfc822Name SAN at issuance, the san_email / san_dns / san_ip / san_uri columns are now written from the canonical SAN list instead of the raw form payload, so DB queries match the X.509 extension. Migration 027_backfill_san_email re-parses existing certificate PEMs and backfills any rows that were out of sync (idempotent on SQLite and PostgreSQL). Thanks @Hemsby.
  • Certificate and CA files written to disk on creation (#95). Added SQLAlchemy after_insert listeners on the Certificate and CA models that immediately materialize .crt / .key files under data/certs/ and data/cas/ for every creation path (UI, CSR signing, ACME, SCEP, import). The startup file-regeneration scan is kept as a safety net. File-write errors are logged but never abort the database transaction. Thanks @Hemsby.

[2.139] - 2026-04-27

Added

  • ACME External Account Binding (EAB) — RFC 8555 §7.3.4. Full EAB credentials manager (backend models, API, UI under ACME → EAB Credentials). Operators can issue, list, rotate and revoke kid / hmac pairs; clients (cert-manager, certbot, acme.sh) bind their account on newAccount via JWS over the MAC key. Brings UCM in line with public ACME CAs (Let's Encrypt EAB, ZeroSSL, Google Trust Services).
  • ACME custom DNS resolvers for DNS-01 validation. Per-account override of system resolvers when validating _acme-challenge TXT records. Useful for split-horizon DNS, internal authoritatives, or when public resolvers cache stale records during automated renewals.
  • ACME on internal / private IPs — gated by acme.allow_private_ips SystemConfig (default true). HTTP-01 and TLS-ALPN-01 validation now works out of the box for RFC1918, loopback, .lan / .local / .corp targets — UCM's primary deployment model. Cloud metadata IPs (169.254.169.254) remain blocked unconditionally.
  • Kubernetes & cert-manager integration. Reference manifests under examples/kubernetes/cert-manager/ (HTTP-01 ClusterIssuer, DNS-01 ClusterIssuer with EAB, sample Certificate, EAB Secret template, README). Full integration guide on the wiki and on https://ucm.tools/docs.

Changed

  • ACME audit & RBAC hardening. Challenge state transitions now produce audit records on terminal states (valid / invalid) instead of every poll, eliminating audit log noise. account.key_change (RFC 8555 §7.3.5) is audited. delete:acme permission added to the operator role to match write:acme.
  • ACME backup/restore parity. acme_eab_credentials is now exported and restored alongside acme_accounts; full account fields (contact, status, terms-of-service, external-account-binding metadata) are now round-tripped end-to-end.

Fixed

  • backend/services/ssh_cas.py — converted f-strings containing escape sequences to raw f-strings to silence Python SyntaxWarning: invalid escape sequence on 3.12+.

Full history: CHANGELOG.md

Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.141

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.141

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.141

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.141/ucm_2.141_all.deb
sudo dpkg -i ucm_2.141_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.141/ucm-2.141-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.141-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.141_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

Contributors

Hemsby
Assets 5
Loading